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Introduction 


The Information Commissioner (the Commissioner) is calling for evidence 
and views on the Age Appropriate Design Code (the Code). 


The Code is a requirement of the Data Protection Act 2018 (the Act). The 
Act supports and supplements the implementation of the EU General Data 
Protection Regulation (the GDPR). 


The Code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. Once it has been published, the Commissioner will 
be required to take account of any provisions of the Code she considers to 
be relevant when exercising her regulatory functions. The courts and 
tribunals will also be required to take account of any provisions they 
consider to be relevant in proceedings brought before them. The Code 
may be submitted as evidence in court proceedings. 


Further guidance on how the GDPR applies to children’s personal data can 
be found in our guidance Children and the GDPR. It will be useful to read 
this before responding to the call for evidence, to understand what is 
already required by the GDPR and what the ICO currently recommends as 
best practice. In drafting the Code the ICO may consider suggestions that 
reinforce the specific requirements of the GDPR, or its overarching 
requirement that children merit special protection, but will disregard any 
suggestions that fall below this standard. 


The Commissioner will be responsible for drafting the Code. The Act 
provides that the Commissioner must consult with relevant stakeholders 
when preparing the Code, and submit it to the Secretary of State for 
Parliamentary approval within 18 months of 25 May 2018. She will publish 
the Code once it has been approved by Parliament. 


This call for evidence is the first stage of the consultation process. The 
Commissioner seeks evidence and views on the development stages of 
childhood and age-appropriate design standards for ISS. The 
Commissioner is particularly interested in evidence based submissions 
provided by: bodies representing the views of children or parents; child 
development experts; providers of online services likely to be accessed by 
children, and trade associations representing such providers. She 
appreciates that different stakeholders will have different and particular 
areas of expertise. The Commissioner welcomes responses that are 
limited to specific areas of interest or expertise and only address 
questions within these areas, as well as those that address every question 
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asked. She is not seeking submissions from individual children or parents 
in this call for evidence as she intends to engage with these stakeholder 
groups via other dedicated and specifically tailored means. 


The Commissioner will use the evidence gathered to inform further work 
in developing the content of the Code. 


The scope of the Code 


The Act affords the Commissioner discretion to set such standards of age 
appropriate design as she considers to be desirable, having 

regard to the best interests of children, and to provide such guidance as 
she considers appropriate. 


In exercising this discretion the Act requires the Commissioner to have 
regard to the fact that children have different needs at different ages, and 
to the United Kingdom’s obligations under the United Nations Convention 
on the Rights of the Child. 


During Parliamentary debate the Government committed to supporting 
the Commissioner in her development of the Code by providing her with a 
list of ‘minimum standards to be taken into account when designing it.’ 
The Commissioner will have regard to this list both in this call for 
evidence, and when exercising her discretion to develop such standards 
as she considers to be desirable 


In developing the Code the Commissioner will also take into account that 
the scope and purpose of the Act, and her role in this respect, is limited to 
making provision for the processing of personal data. 


Responses to this call for evidence must be submitted by 19 September 
2018. You can submit your response in one of the following ways: 


Online 


Download this document and email to: 


childrenandtheGDPR@ICO.org.uk 


Print off this document and post to: 

Age Appropriate Design Code call for evidence 
Engagement Department 

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 
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Cheshire SK9 5AF 


If you would like further information on the call for evidence please 
telephone 0303 123 1113 and ask to speak to the Engagement 
Department about the Age Appropriate Design Code or email 


childrenandtheGDPR@ICO.org.uk 


Privacy statement 

For this call for evidence we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 
what we do with personal data please see our privacy notice. 
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Section 1: Your views and evidence 


Please provide us with your views and evidence in the following areas: 


Development needs of children at different ages 


The Act requires the Commissioner to take account of the development 
needs of children at different ages when drafting the Code. 


The Commissioner proposes to use their age ranges set out in the report 
Digital Childhood - addressing childhood development milestones in the 
Digital Environment as a starting point in this respect. This report draws 
upon a number of sources including findings of the United Kingdom 
Council for Child Internet Safety (UKCCIS) Evidence Group in its literature 
review of Children’s online activities risks and safety. 


The proposed age ranges are as follows: 


3-5 
6-9 
10-12 
13-15 
16-17 


Q1. In terms of setting design standards for the processing of children’s 
personal data by providers of ISS (online services), how appropriate you 
consider the above age brackets would be (delete as appropriate): 


Quite appropriate 


Q1A. Please provide any views or evidence on how appropriate you 
consider the above age brackets would be in setting design standards for 
the processing of children’s personal data by providers of ISS (online 
services), 


Aligning broadly with school key stages would seem appropriate and 
appreciate the difference as children become 13. SWGfL would suggest 
considering ‘Education in a Connected World’; a framework of digital 
competencies developed by UK Council for Internet Safety and published 
by DCMS in 2018. The framework uses age brackets that mirror UK 
education systems - early years-7, 8-11, 11-14 and over 14. The 
transition in at age 11 typically between primary and secondary phasing 
is a significant one, especially in digital terms 
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Q2. Please provide any views or evidence you have on children’s 
development needs, in an online context in each or any of the above age 
brackets. 


We see much variation in technology use for the 10-12 year old bracket 
given the transition from primary to secondary schooling - the standards 
for a 10 year old will vary significantly to that of a 12 year old 


The United Nations Convention on the Rights of the Child 


The Data Protection Act 2018 requires the Commissioner to take account 
of the UK’s obligations under the UN Convention on the Rights of the Child 
when drafting the Code. 


Q3. Please provide any views or evidence you have on how the 
Convention might apply in the context of setting design standards for the 
processing of children’s personal data by providers of ISS (online 
services) 


SWGfL would refer to the UK Safer Internet Centre response for this 
question 


Aspects of design 


The Government has provided the Commissioner with a list of areas which 
it proposes she should take into account when drafting the Code. 


These are as follows: 
e default privacy settings, 
e data minimisation standards, 
e the presentation and language of terms and conditions and privacy 
notices, 
e uses of geolocation technology, 
e automated and semi-automated profiling, 
e transparency of paid-for activity such as product placement and 
marketing, 
the sharing and resale of data, 
the strategies used to encourage extended user engagement, 
user reporting and resolution processes and systems, 
the ability to understand and activate a child’s right to erasure, 
rectification and restriction, 
e the ability to access advice from independent, specialist advocates 
on all data rights, and 
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e any other aspect of design that the commissioner considers 
relevant. 


Q4. Please provide any views or evidence you think the Commissioner 
should take into account when explaining the meaning and coverage of 
these terms in the code. 


Services Accessible for Children 

The code should apply to any online service that is accessible to anyone 
under 18 as defined in their terms and conditions or privacy statements, 
for example this would include those services accessible to anyone over 
13 years old 


Q5. Please provide any views or evidence you have on the following: 


Q5A. about the opportunities and challenges you think might arise in 
setting design standards for the processing of children’s personal data by 
providers of ISS (online services), in each or any of the above areas. 


SWGfL welcomes a ‘better by design’ approach and suggests the following 
opportunities and challenges in settings design standards 


Terms and Conditions 

SWGfL would suggest that provider Terms and Conditions and Privacy 
statements are there for the benefit of the provider rather than the user. 
The majority of the children and adults that SWGfL and UK Safer Internet 
Centre have spoken to do not read Terms and Conditions together with 
Privacy statements. The report Growing Up Digital by the Children’s 
Commissioner in England (Jan 2017) makes exactly this point and calls 
for clearer statements. 


Over recent years there has been work to better illustrate and articulate 
the details contained within terms and conditions and highlight the use of 
‘labels’. We are all familiar with nutritional labelling on food, laundry 
labelling on clothes and eco labels describing energy ratings on items, but 
terms and conditions and privacy statements remain resolutely 
inaccessible, especially for children. Labelling will enable users to 
understand, at a glance, aspects of the terms and conditions, in particular 
what data is collected and how it is used. SWGfL, on behalf of UK Safer 
Internet Centre, has an active project to utilise labelling technologies and 
recommends that labelling for terms and conditions is considered 


Whilst labels would be a significant improvement, terms and conditions 


are still important to cover all aspects of the services, however the 
readability and accessibility of these should be directly equivalent to the 
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age of users able to access the service. For example services which are 
designed for anyone over 13, should be accessible to a 13 year old old 
and measured using reading indices (eg http://gunning-fog-index.com/). 
Currently providers are required to record that users ‘accept’ the terms, 
but would suggest that acceptance is only possible if users ‘understand’. 
Providers should therefore evidence that users both understand and 
accept. 


Providers should be required to notify users of changes to the terms and 
conditions or privacy statements 


User reporting and resolution processes and systems 

Reporting mechanisms are important for ISS to provide. In line with ISS 
community standards, children should have recourse to complain, to have 
their data removed and/or harmful content removed from the providers 
services 


UK Safer Internet Centre has just released a national ‘Reporting Harmful 
Content’ hub that accepts complaints from users aged 13 and over who, 
having reported content to an ISS, the complainant considers the provider 
to have taken no or insufficient action. The hub will consider the 
complaint and provide a more in-depth response and/or work with the 
ISS to remove the content 


Q5B. about how the ICO, working with relevant stakeholders, might use 
the opportunities presented and positively address any challenges you 
have identified. 


Schools 

SWGfL created and released an online safety self review mechanism - 360 
degree safe in 2009 and currently used by over 12,500 schools. The 
system enables schools to rate their provision against a set of 28 different 
aspects to determine their performance and create a development plan. 
This rating data discloses the relative performance of all schools and is 
captured in an annual ‘state of the nation’ assessment report 


(www.swofl.org.uk/report2017). 


Data Protection is one of the 28 aspects and is in context of the “ability of 
the school to be compliant with the current Data Protection Act and 
Freedom of Information legislation (which includes the General Data 
Protection Regulation compliance). It describes the ability of the school to 
effectively control practice through the implementation of policy, 
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procedure and education of all users”. In 2017 we concluded that the 
relative performance of data protection was weak in comparison with the 
other 27 aspects - it ranked as 22 out of 28. The data suggests that 
33.371% of schools have no data protection policy (either no policy or 
policy is in development). There is further data and evidence within the 
dataset and report relating to schools management of data and 
information. 


As a further effort to support schools with their data protection processes, 
a data protection self-review tool, 360data was launched in June 2016. 
360data is based on the same mechanism as 360dgree safe but provides 
16 aspects for self-review alongside policy templates. The online self 
review application supports and challenges schools in assessing and rating 
their current data and information security provision. Whilst the numbers 
of participating schools are not statistically representative, the aggregated 
rating data suggests that weaknesses include Data Protection Impact 
Assessments as well as how Governors are involved and the Third party 
arrangements that schools have. 


It is clear from this evidence that schools require significant help and 
support and would welcome ICO engagement in supporting both SWGfL 
and UK Safer Internet Centre in addressing this issue. 


Q5C. about what design standards might be appropriate (ie where the bar 
should be set) in each or any of the above areas and for each or any of 
the proposed age brackets. 


Q5D. examples of ISS design you consider to be good practice. 


360 degree safe - www.360safe.org.uk 
360data - www.360data.org.uk 


Example of using AI to read Terms and Conditions / Privacy statements 
Polisis - https://pribot.org/polisis 


Usable Privacy - https://usableprivacy.org/ 


https: //moviestarplanet.zendesk.com/hc/en-gb/categories/201435769- 


MovieStarPlanet and https://web.popjam.com/home are simple to 


understand, and easy to navigate. 


Q5E. about any additional areas, not included in the list above that you 
think should be the subject of a design standard. 
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Q6. If you would be interested in contributing to future solutions focussed 
work in developing the content of the code please provide the following 
information. The Commissioner is particularly interested in hearing from 
bodies representing the views of children or parents, child development 
experts and trade associations representing providers of online services 
likely to be accessed by children, in this respect. 


ane 
email 


Brief summary of what you think you could offer 


SWGfL (www.swodfl.org.uk) is a charity working with schools and other 
organisations to provide safe and secure online access and resources. 
SWGfL has developed an international reputation within online safety and 
recognised with a number of awards. It is a founding member of UKCCIS 
(UK Council for Child Internet Safety) and has spoken at conferences 
across Europe, America and Africa. 


SWGfL, alongside partners Childnet and Internet Watch Foundation, lead 
the UK Safer Internet Centre as part of the European Commission’s Safer 
Internet Programme. The Centre is the national awareness centre and is 
responsible for raising the nation’s attention to online safety issues as well 
as managing online criminal content and supporting professionals via its 
unique helpline. 


SWGfL has built a global reputation with supporting schools with online 
safety, evidence from its array of multi award winning services, for 
example 360 degree safe and BOOST. 360 degree safe is enabling over 
12,500 schools to review and improve their own online safety provision. 


SWGfL would be able to work with the ICO in a variety of ways, including 
with schools to both from an sector perspective but also from the 
education of children and parents 


Further views and evidence 


Q7. Please provide any other views or evidence you have that you 
consider to be relevant to this call for evidence. 
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Section 2: About you 


Are you: 


A body representing the views or interests of children? 
Please specify: 


A body representing the views or interests of parents? 
Please specify: 


A child development expert? 
Please specify: 


A provider of ISS likely to be accessed by children? 
Please specify: 


A trade association representing ISS providers? 
Please specify: 


An ICO employee? 


Other? 
Please specify: 


Thank you for responding to this call for evidence. 
We value your input. 
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